id: iam-unapproved-policy
info:
  name: Unapproved IAM Policy Attachments
  author: princechaddha
  severity: high
  description: |
    Checks for the attachment of unapproved Amazon IAM managed policies to IAM roles, users, or groups, ensuring compliance with organizational access policies
  reference:
    - https://docs.aws.amazon.com/cli/latest/reference/iam/get-policy.html
  tags: cloud,devops,aws,amazon,iam,ssl,tls,aws-cloud-config

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      aws iam get-policy  --policy-arn arn:aws:iam::aws:policy/AmazonRDSFullAccess  --query 'Policy.{"AttachmentCount": AttachmentCount}'

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "AttachmentCount"

      - type: word
        part: body
        words:
          - '"AttachmentCount": 0'
        negative: true

    extractors:

      - type: dsl
        dsl:
          - '"Unapproved IAM policy is used within your AWS cloud account"'
# digest: 4a0a00473045022100cf22f4542262ded32bcf64050e268d3b514e907385f8c67a8a4f888302bb48b202206b2ee99707ba578560bc83ad3ceeae5e3981288199d898d27d0090f34f6af408:922c64590222798bb761d5b6d8e72950